Release of Cuckoo-compatible onemon Windows kernel driver

2019-02-20

Jurriaan Bremer

Introduction

At Hatching we are continuously improving the behavioral analysis capabilities
used for the dynamic analysis of malware. Today marks our first public release
of onemon, our successor to zer0m0n, which is compatible with Cuckoo Sandbox.

This release focuses solely on real-time scanning of process memory with Yara
and dumping the memory of a process once a rule has matched. It is therefore
not a (complete) replacement for the behavioral analysis capabilities present
today in Cuckoo Monitor.

Furthermore, the work behind this release has been performed in collaboration
with CERT.PL and is co-financed by the Connecting Europe Facility of the
European Union, action no: 2016-PL-IA-0127.

What, why, and how?

For most malware researchers, memory dumps are a crucial starting point for
further manual research. Some like to run entire VM memory dumps through
Volatility or Rekall, while others analyze the "dumped" binary (i.e., the
payload binary as opposed to the packer that executes it) to get at the actual
threat. Even just running strings(1) on a memory dump often gives interesting
results.

While we generally agree that this is a good thing to do, we are not keen on
generating entire Virtual Machine state snapshots, which in practice often
take one to four gigabytes of storage each (depending on how much RAM was
assigned to the VM). Cuckoo Monitor, and now onemon, therefore implement
per-process memory dumping; such dumps usually take less than 50-100 MB of
storage, which is much lighter on I/O as well as on the disk space required.

In onemon we have also refined the dumping strategy. Cuckoo Monitor dumps
process memory at somewhat arbitrary moments (typically at the start of a new
process and a few times during execution); onemon only dumps a process once
its memory matches one of the configured Yara rules. Cuckoo Monitor was also
(primarily) developed by yours truly, but all newly developed techniques in
onemon are the result of years of experience with malware sandboxing.

During an analysis, this release of onemon will scan processes against the
defined Yara rules at the following moments in time:

Upon creation of a new process.

Upon mapping of an image into a process through NtMapViewOfSection (as used in Process Hollowing).

Upon resuming of a suspended thread through NtResumeThread (the final step of Process Hollowing).

Once every second for each monitored process.

Upon termination of a process.

In the future, specific system calls may trigger Yara scans as well. E.g., in
the past various socket operations have proven to be good moments for scanning
process memory, as the payload is typically unpacked by the time it starts
communicating.

How to use it?

Using our onemon Windows kernel driver is as simple as applying the following
four steps to your Cuckoo environment:

Fetch the latest Cuckoo Community by running cuckoo community. This
will make sure your Cuckoo environment contains onemon.

Place a number of Yara rules that may be applied to process memory scanning
in $CWD/yara/dumpmem/, i.e., simplified rules for specific malware
families for which you'd like memory dumps. Ideally these Yara rules are
somewhat simplified for performance and don't include conditions like
"($mz at 0)": a scanned memory region is not a PE file on disk, so the
payload's header will generally not sit at offset 0 and such a rule will
simply never match.

Submit an analysis with the analysis=kernel option set. Through the
command-line this may look as follows:
cuckoo submit -o analysis=kernel sample.exe.

Ensure that your Virtual Machine has Patch Guard disabled & allows loading
of unsigned Windows kernel drivers. In order to do so, one may either boot
Windows in "test" or "debug" mode (e.g., bcdedit /set testsigning on) or use
a tool like UPGDSED (Universal PatchGuard and Driver Signature Enforcement
Disable) to patch the VM. Needless to say, these settings weaken the guest's
kernel integrity protections and belong in an isolated analysis VM only.

Note that, for backwards compatibility reasons in Cuckoo, the driver is called
zer0m0n-x64.sys in the Cuckoo Community repository. This allows Cuckoo
to use it as-is with existing Cuckoo 2.0.6 and later installations.

After a successful analysis has been performed, one should be able to find one
or more memory dumps related to that specific malware family and analysis. It
is then possible to perform automated post-analysis processing using roach,
an easy-to-use and modular library that exposes a fair bit of functionality
often used by malware samples (e.g., common cipher and compression routines).
Roach is installed with Cuckoo by default and abstracts away numerous routines
normally exposed by various 3rd party libraries.
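As an added example (this is not code from onemon, Cuckoo Sandbox or roach), the script below shows the two points made above: why a dumpmem rule anchored with "$mz at 0" misses the payload, and how to get the "dumped" binary out of a process memory dump for further analysis. It walks every "MZ" candidate in a dump, validates it through the PE header, and carves the image with its section headers rewritten to the in-memory layout so that the carved file parses like an on-disk PE. The dump, the image offset and the payload marker are all constructed in memory for the demo; real dumps are simply larger and noisier.

```python
"""Carve PE images out of a process memory dump.

A process memory dump is a concatenation of memory regions, so the unpacked
payload's "MZ" header almost never sits at file offset 0. The demo dump and
its contents are constructed here; nothing is read from disk.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECTION_HEADER_SIZE = 40


def parse_pe_at(buf, off):
    """Describe the PE header at `off`, or return None if there is none."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    # e_lfanew must land inside the buffer and on "PE\0\0"
    if e_lfanew < 0x40 or nt + 24 > len(buf) or buf[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    opt = nt + 24                      # optional header follows the 20-byte COFF header
    table = opt + opt_size             # section table follows the optional header
    if opt_size < 96 or table + nsections * SECTION_HEADER_SIZE > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    sections = []
    for i in range(nsections):
        s = table + i * SECTION_HEADER_SIZE
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", buf, s + 8)
        sections.append({"name": buf[s:s + 8].rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"machine": machine, "magic": magic,
            "size_of_image": struct.unpack_from("<I", buf, opt + 56)[0],
            "section_table": table, "sections": sections}


def find_pe_images(dump):
    """Yield (offset, header info) for every validated PE header in the dump."""
    off = dump.find(IMAGE_DOS_SIGNATURE)
    while off != -1:
        info = parse_pe_at(dump, off)
        if info is not None:
            yield off, info
        off = dump.find(IMAGE_DOS_SIGNATURE, off + 1)


def carve_image(dump, off, info):
    """Copy SizeOfImage bytes from `off` and point each section's raw offset and
    size at its virtual address and size, so a PE parser reads the carved file
    with the layout it had in memory. Returns None if the image is cut off."""
    end = off + info["size_of_image"]
    if end > len(dump):
        return None
    image = bytearray(dump[off:end])
    for i, sec in enumerate(info["sections"]):
        hdr = info["section_table"] - off + i * SECTION_HEADER_SIZE
        struct.pack_into("<II", image, hdr + 16, sec["vsize"], sec["va"])
    return bytes(image)


DEMO_IMAGE_OFFSET = 0x300                      # constructed: where the image sits in the dump
DEMO_MARKER = b"hatching-demo-payload-marker"  # constructed payload string


def build_demo_dump():
    """Constructed dump: a noise region, a tiny mapped PE32+ image with one
    .text section, then a stray "MZ" that is not a PE header."""
    text_va, text_size, size_of_image = 0x1000, 0x200, 0x2000
    opt = bytearray(112)                                    # PE32+ optional header, no data dirs
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, text_va)                # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x400)  # SizeOfImage, SizeOfHeaders
    sec = bytearray(SECTION_HEADER_SIZE)
    sec[:5] = b".text"
    # raw size/pointer still describe the on-disk file, as in a real dump
    struct.pack_into("<IIII", sec, 8, text_size, text_va, 0x200, 0x400)
    struct.pack_into("<I", sec, 36, 0x60000020)             # CODE | EXECUTE | READ
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    image = bytearray(size_of_image)
    headers = bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + bytes(sec)
    image[:len(headers)] = headers
    image[text_va:text_va + 16 + len(DEMO_MARKER)] = b"\xCC" * 16 + DEMO_MARKER
    noise = b"heap noise, no header here".ljust(DEMO_IMAGE_OFFSET, b"\0")
    decoy = b"MZ" + b"\0" * 0x100                           # e_lfanew of 0 -> rejected
    return noise + bytes(image) + decoy


if __name__ == "__main__":
    dump = build_demo_dump()
    for off, info in find_pe_images(dump):
        print("PE at offset %#x, SizeOfImage %#x, sections %s"
              % (off, info["size_of_image"], [s["name"] for s in info["sections"]]))
        carved = carve_image(dump, off, info)
        print("carved %d bytes, marker present: %s" % (len(carved), DEMO_MARKER in carved))
```

Run as-is it reports a single image at offset 0x300 (so a condition requiring "MZ" at offset 0 would never fire) and a carved 0x2000-byte image that still contains the payload marker. On a real dump the same loop may yield several hits; the decoy shows why every candidate has to be validated through e_lfanew and the "PE\0\0" signature rather than trusting the two-byte "MZ" alone.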

License

This version of our Windows kernel driver has been released to Cuckoo Sandbox
under a perpetual license, i.e., it may be used for both research as well as
commercial usage by anyone who deems that to be relevant.

While the development of onemon was originally inspired by zer0m0n, we
have completely overhauled the kernel driver. The codebase of onemon is
fully owned by Hatching, as it shares no code with zer0m0n. However, we do
want to thank Conix Security for their open source contribution of zer0m0n
towards Cuckoo Sandbox. Additionally, a number of other software licenses are
in use by onemon - a copy of the license headers may be found here.